In BIND 9.6.0 one could take an unsigned zone and add an initial KSK and ZSK to it using nsupdate (and if the right files were in the key directory, it would sign everything correctly). In BIND 9.6.1 this no longer works: it returns REFUSED. It's unclear to me whether this change was intended - if so I can't work out which entry in the CHANGES file it corresponds to.
Both 9.6.0 and 9.6.1 give REFUSED if one attempts to delete the last KSK (although they let you remove all the ZSKs). -- Chris Thompson Email: c...@cam.ac.uk _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
